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INTRODUCTION 


As part of public infrastructure, land, sea, and air transportation infrastructures play a 
very important role in the economic system. By providing mobilization access for people, 
products, and services required by the economic development, and triggering economic growth 
of the surrounding areas, the condition of the transportation infrastructures significantly 
contributes to the gross domestic product (GDP) and many other economic indicators of a 
nation. Kawulur et al. even stated that the role of transportation in economic development is 
generally even bigger than just the value contributed by the transportation sector into the GDP 


(Kawulur, 2020). The total length of toll roads lately has become one popular indicator for 
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assessing a country's economic development regarding the land transportation infrastructure. 
According to Noor et al., toll road development will affect the regional and economic 
development of two areas that are connected by the toll road (Noor, 2017). In Indonesia, trans- 
area road and toll road developments become part of strategic priority projects of the Medium- 
term National Development Plan 2020-2024 released through Presidential Decree No. 18/2020. 
Indonesia Toll Road Regulatory Agency stated that there would be additional 410 kilometers of 
17 new toll road sections in 2021 to achieve the total annual target of 2.756 kilometers 
(Bisnis.com, 2021). According to the Ministry of Public Works and Housing spokesperson, a total 
of 2.391 kilometers of toll roads are operated per April 2021, consisting of 62 sections all over 
Indonesia (Liputan6.com, 2021). 
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Figure 1. The vision of the Ministry of Public Works and Housing 2020- 
2024 & 2030 


(source: adapted from Strategic Plan of the Ministry of Public Works and Housing 
Year 2020-2024, 
released by Ministry of Public Works and Housing, 2020) 

As important as its contributions to the economy, and operating toll road also gives 
many benefits to the society, such as shorter route and time in traveling, good quality and 
car-friendly road surface which reduce potential damages to the car, saving money from lower 
petrol consumption on shorter time and congestion-free journey, safer rest area to pull over in 
an emergency compare to alternative back-roads, more reliable factor in travel planning and 


budgeting (Emovis-tag.co.uk, 2020). These benefits reflect the effectiveness of the toll road 
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operator in fulfilling its public service obligation, which is maintaining the toll road to keep 
well-functioning for public use. However, many risks may hinder the toll road operator from 
achieving targeted toll road performance. For instance, a roadblock or traffic congestion can 
occur anytime from an accident, natural causes like landslide or flood, road damage, political 
rally, toll gate malfunction, maintenance or repairment project, or simply because of an 
overload traffic during public holidays (Satriaputri, 2015). These risks are only some examples 
of the risk universe of the toll road operation that bring the necessity for a toll road operator 
to have a sound risk management in place. By practicing effective risk controls and 
treatments, the toll road operator increases their readiness to anticipate the risks that may 
impair the toll road performance and respond quickly to the occurring risks. 

According to ISO 31000:2018, an organization should continually improve the suitability, 
adequacy, and effectiveness of the risk management framework and the way the risk 
management process is integrated, where these improvements should contribute to the 
enhancement of risk management being practiced throughout the organization. One particular 
state-owned enterprise (SOE) in Indonesia, i.e., XYZ, would like to understand better whether 
its risk management practices have met best practice criteria and identify opportunities for 
improvements to make necessary enhancement of its risk management in a well-planned 
manner. To effectively meet this objective, the company applied a risk maturity assessment 
model which aligns with the adopted best practice reference, the ISO 31000. Such model is 
well fitted by ERMA ISO 31000 RM3 that has been designed and built upon the ISO 31000 
standard covering the risk management principles, framework, and process. The assessment 
model suggests five levels of maturity: initial, repeatable, defined, managed, and optimizing, 
and consists of 6 assessment attributes which are cascaded down into detailed indicators, 
parameters, and testing factors (ERM Academy, 2021). 

This research focuses on how XYZ uses the ERMA ISO 31000 RM3 model to assess its 
risk management maturity. The results of this study help the management of the XYZ in 
understanding their risk management maturity level and identifying the necessary 
improvement that needs to be done to maintain and increase internal capacity in fulfilling 


their public service obligation as toll road operators. Furthermore, this study may also 
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benefit from the management of an SOE or any other companies and organizations in 
identifying the effectiveness of their risk management practices and other researchers in 
their quest of conducting related research in the future. 

METHODS 

The object is one of the largest Indonesian SOEs which serves public interests in the 
transportation sector. Becoming a public listed company in 2007, the company today is an 
operating holding company of 21 subsidiaries and 10 joint venture companies. It manages 
more than its 104 thousand billion Rupiah assets through three business lines, toll road 
operators, toll road maintenance, and other related business. At the end of 2020, the company 
has operated more than 51% of all toll road sections throughout Indonesia, consisting of more 
than 1.100 kilometers. However, the company's name could not be disclosed due to 
confidentiality. 

This study uses a combination of two data collection techniques, document reviews and 
supported by interviews with members of the board of directors and division heads to support 
and validate the information gathered from the document review process. All information is 
then compiled and mapped into more than a hundred testing factors of the ERM ISO 31000 
RM3 model to calculate the aggregate scores of 6 assessment attributes and determine a 
single maturity score as the final assessment result. The ERM ISO 31000 RM3 algorithm also 
includes defining indicators of the assessment attributes, which group the testing factors into 
fifty-plus parameters. By using the ERM ISO 31000 RM3 model, the XYZ can identify the score 
of its risk management maturity and the score of each assessment attribute and identify which 
indicators of the assessment attributes the company gets a considerably low score. Based on 
the result, the study further develops a road map for the XYZ to obtain a higher maturity to the 


level as targeted by the top management. 


RESULT AND DISCUSSION 
There are two combined methods of data gathering used in the field research. 


First is document review covering annual report 2018 and 2019, interim financial 


report Jan - Jun 2020, risk management report 2018, 2019, and 2020, incident/loss 
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charters. The second method is one to one interview with members of the board of 


directors and all division heads. 


Based on document review and interview results, the ERMA ISO 31000 RM3 
algorithm shows the scoring result of 3.62. This result suggests that the overall 
company's risk management maturity is at the DEFINED level, which reflects the 
structured and systematic risk management the company has in place. The result is 
also reflected from the risk management practices that are becoming more integrated 
with the company's governance practices, and supported by broader and stronger risk 
competency, leadership, and commitment. 

The following are the detailed result of each assessment attribute and its 

respective scoring value that forms the final scoring value at 3.62 by using the 
arithmetic mean. 


Figure 3. Result of Risk Management Maturity Assessment of XYZ 


1. Risk Management Framework at scoring value 3.64 
The field research finds several evidence-based contributing factors to this 
attribute; for example, the organization executives have discharged their accountability to 
integrate the risk management into the business processes while the board of 
commissioners has actively overseen the integrations, where the integrated risk 


management practices are conducted consistently. Moreover, there is some other 


138 


International Journal of Environmental, Sustainability, and Social Sciences 
ISSN 2720-9644 (print); ISSN 2721-0871 (online) 
https://journalkeberlanjutan.com/index.php/ijesss 


evidence showing that the boards' commitment to integrating risk management is clearly 
articulated, supported with a formal set of roles, main duties, functions, authorities, and 
accountabilities for every internal stakeholder who is being involved in risk management. 
In addition, required resources for risk management have also been allocated 
considerably. 

Despite those contributing factors above, some other evidence shows that the risk 
leadership of the top management are still not consistently visible to all lower 
management levels, the integration of risk management still has not fully satisfied the 
needs of the organization based on its internal and external context, and risk 
communication and consultation within the company has not fully supported with required 
data analytic function while the company is still improving data validity in presenting them 


real-time on the company dashboard. 


2. Risk Management Process at scoring value 4.45 

Many parameters of this attribute have been satisfactorily fulfilled, making this 
attribute the highest score among other attributes. Based on the evidence, many risk 
management practices have been integrated into the business process, consistently 
conducted in full cycle, and supported with appropriate IT/IS tools. In addition, every 
unit/function throughout the organization has already had a practical plan or design on 
how to integrate the risk management into its business processes, while from these 
integrating plans, a company's grandmaster plan for risk management integration has 

been formalized. 
However, the integration processes of risk management are still in progress, and 
there is also evidence that shows that the effectiveness of the integration has not been 
measured or evaluated properly both on core and supporting business processes, thus it 


is not consistently included in the risk communication and consultation of the company. 


3. Management Process at scoring value 3.65 
The evidence from the field research shows there are contributing factors to the 


attribute's score; for example, appropriate risk assessment and treatment planning 
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processes have been embedded with the company's strategic planning, and there is an 
adequate set of KPIs have been set to measure the effectiveness of the strategic plan 
execution, including the effectiveness of respective risk treatments where the 
interconnections with the effectiveness measurements of the operational risk 
management at the business process or activity levels can be traced down. 

On the other hand, the result of the field research also shows that during the 
strategic planning, there is some internal and external context of the company which is 
not thoroughly considered in the risk assessment process, not to mention that the 
company has not evaluated the adequacy of the strategic planning itself in a regular 
manner where the company more depends on its compliance with the regulatory 


requirements on formulating a strategic plan. 


4. Performance Management at scoring value 3.22 

The field research results show that every objective has been defined with SMART 
criteria, KPls have been set by carefully putting the identified risks and respective existing 
risk controls and treatments into consideration, and risk monitoring and evaluation has 
been embedded with the performance monitoring and evaluation mechanism. 

Although there are many contributing factors are found, the result of the field 
research also shows that to a certain extent, the improvement of the company's 
performance can still sometimes be quite challenging due to a dynamic changing situation 
where the contribution from the existing risk management practices is still considerably 
limited. 

5. Risk Management Culture at scoring value 3.37 

The contributing factors to this attribute's score are that risk philosophy has been 
adopted into the written organization culture, accountabilities in risk management have 
been clearly defined and discharged in a disciplined manner, and promoted with a suitable 
remuneration scheme. Also, the tone from the top has been implemented at every level of 


the organization, and is supported with sufficient risk awareness at every corner of the 
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organization and a positive attitude towards risk with risk competency shown at every 
level of the organization. 

However, the field research also finds that the company’s risk appetite framework 
has not yet been formalized, the risk governance structure still needs enhancement due to 
the increasing business complexity of the company, while the integration of risk 
management into personnel allocation and promotion mechanism is_ still under 
development. 

6. Resilience and Sustainability at scoring value 3.40 
Relates to this attribute, the company has adequately performed the 
environmental risk assessment and treatment and the risk assessment and treatment on 
the company's people, supply chain, information system, infrastructure, and financial 
resilient in anticipating the possible disruptions. 
The evidence that is less contributing to the attribute's score is that the assessment 
methods on the company's economic, environmental, and social sustainability are still 
under development where the company is still seeking the most practicable approach 


and methodology, especially in conducting the process in a fully quantitative manner. 


CONCLUSION 
The study shows that by using the ERMA ISO 31000 RM3, the SOE under this study can 


measure the maturity of their risk management, which is at the stage of DEFINED with a 
maturity score of 3.62. Based on this result, the company's management can develop a road 
map that assists them in increasing the maturity level of their existing risk management to a 
desirable level. In this regard, the management can prioritize their improvement first on the 
low score attributes, the performance management, risk culture, resilience and sustainability, 
risk management framework, and the management process, while maintaining their current 
practices of the risk management process, which has already reached a considerably high 
maturity level. In addition, the management also needs to define quick wins to increase the 
maturity score of each attribute and prioritize them in the short and short-to-medium term 
plan of the road map, while planning further required improvements in the medium-to-long 


and long-term part of the roadmap. It confirms that not only the SOE can use the risk 
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management maturity assessment model to define the baseline of its current risk 
management practices and then support the SOE increasing the effectiveness of its risk 
management, but it also confirms that ERMA 1ISO31000 RM3 is applicable and suitable 
maturity assessment model for ISO 31000 adopters for assessing their risk management 


maturity level. 


Despite the results provided, this study has limitations in terms of comparability with 
other SOEs and non-SOE toll road operators using the ISO 31000 as the main reference in 
their risk management practices. Thus, further research with a similar case study approach in 


other SOEs and other types of organizations is strongly recommended. 
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